2007 matches found
[SECURITY] Fedora 43 Update: openbao-2.5.2-1.fc43
Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, us ers can access an encrypted Key/Value store and network...
CVE-2026-34572
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...
CVE-2026-34570
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...
📄 listmonk Session Persistence
listmonk has a flaw where sessions persist as valid after password reset and password change. CVE-2026-34828 listmonk’s Session Persistence After Password Reset and Password Change Intro I found this issue while reviewing listmonk, an open-source newsletter and mailing list manager, with a simple...
listmonk's active sessions remain valid after password reset and password change
Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...
GHSA-H5J9-CVRW-V5QH listmonk's active sessions remain valid after password reset and password change
Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...
CVE-2026-34572
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...
CVE-2026-34570
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...
EUVD-2026-18089
CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation Logic Flaw...
EUVD-2026-18086
CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation Logic Flaw...
CVE-2026-34572
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...
CVE-2026-34570
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...
GHSA-HVC7-763R-4F3H openssl-encrypt has no owner verification on key revocation — any client can revoke any key
Summary The revokekey method in opensslencryptserver/modules/keyserver/service.py at lines 195-270 accepts a clientid parameter but never verifies that the requesting client is the same as key.ownerclientid. Impact Any authenticated client can revoke any other client's key, as long as they provid...
openssl-encrypt has no owner verification on key revocation — any client can revoke any key
Summary The revokekey method in opensslencryptserver/modules/keyserver/service.py at lines 195-270 accepts a clientid parameter but never verifies that the requesting client is the same as key.ownerclientid. Impact Any authenticated client can revoke any other client's key, as long as they provid...
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
PT-2026-29636
Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not immediately revoke active user sessions when an account is deactivated. This is due to a logic flaw where account state changes are only enforced during login, not for...
PT-2026-29816
Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...
PT-2026-29634
Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not immediately revoke active user sessions when an account is deleted. This is due to a logic flaw where account state changes are only enforced during login, not for existing...
GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...